Cover Image

Not for Sale



View/Hide Left Panel
Click for next page ( 46


The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement



Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.

OCR for page 45
45 with RMC and legal counsel concerning any third party The agency also limits which procurement personnel requests for MTA documents. have access to SSI. The RMP contains a section on exempt security- Agency A provides SSI training to all employees; the sensitive and privileged documents. The policy notes subject covered depends on the job category in question. that due to attacks, attempted attacks, and threats against facilities, MTA limits access to categories of B. Los Angeles County Metropolitan records that previously may have been publicly avail- Transportation Authority469 able. The intent of treatment of such documents under The Los Angeles County Metropolitan Transporta- the policy is to ensure that access will be limited to in- tion Authority (MTA) has a written records manage- dividuals with an actual need to know or work with the ment policy (RMP) to ensure compliance with the Cali- records. Section 2.1 of the RMP lists types of documents fornia Public Records Act, as well as the agency's to be considered security sensitive and specifies the statutory obligations concerning records disposition. need for separate maintenance in a secure environment The RMP covers creation, indexing, production, reten- of such documents.470 The RMP lists the following record tion, protection, security and disposition of agency re- categories as coming under the sensitive security classi- cords. Covered records include correspondence, memo- fication: construction records (design documents, final randa, reports, maps, tapes, photographic films/prints, as-built drawings required by contract); engineering charts, drawings, computer-generated and -maintained documents (detailed specifications, including geotechni- records, machine-readable records, and phonographic cal information); systems documents (describing how records. Email is covered as well. The MTA's Records safety- and security-related systems operate); opera- Management Center (RMC) is responsible for adminis- tions records (detailing movements to and from service tering the RMP, including providing training, while route); facility information (security and fueling system department heads are responsible for program compli- information); vehicle design documents; and security ance within their departments. Each department ap- records (documents describing MTA security re- points a records coordinator to work with the RMC, sponses). managing department records pursuant to RMC guide- lines. C. Agency C471 The RMC develops the agency's records retention Agency C is the organization responsible for capital schedule, which identifies categories of security- construction projects for a large multimodal transporta- sensitive documents. Any changes to the schedule are tion authority. Agency C works with sister agencies of reviewed by the agency's legal counsel. RMC periodi- the transportation authority. cally inventories department records to ensure compli- Agency C has an SSI handbook covering the follow- ance with the retention schedule. RMC oversees records ing elements: procedures for handling Agency C's SSI; inactivation, inactive records retrieval, and records de- roles and responsibilities of Agency C and vendor per- struction pursuant to the retention schedule. Sensitive sonnel; Agency C evaluation guide to identify types of security information is shredded, pulped, erased by information to be protected; information technology; permanent means, or otherwise made illegible and un- company nondisclosure and confidentiality agreements; usable. The RMP protocol for active file management re- 470 Section 2.1, Identifying Security Sensitive and Privileged quires maintaining security-sensitive documents such Records, specifically provides: as facility as-built drawings in secure locations sepa- RMC, along with each department shall identify security sen- rated from documents that are not confidential or secu- sitive documents that shall include, but not be limited to, the rity sensitive, with access limited to designated staff. construction of all MTA facilities; operation of light and heavy Each department is required to keep a list of designated rail systems; communication, power, control and emergency backup systems, emergency access. Ingress and egress methods personnel, along with their approved access levels. RMP and plans; bus scheduling process; personnel deployment plans; protocol also requires purging drafts, duplicates, and security plans and interagency emergency or security communi- nonsignificant working papers from active files on a cations; individual and computer system access codes and meth- regular basis. Sensitive security documents are re- ods; software; and other similarly related items. quired to be marked as such within the agency's docu- Any document considered security sensitive shall be main- ment management system. tained in a separate protected environment and may be retained with confidential records by RMC. The manner of protecting Only the RMC and legal counsel have the authority such documents shall be dictated by the form and condition of to determine which records are available to the public. the particular record. Once a document is identified as security All agency employees receive training to this effect, sensitive, access to it shall be immediately limited, and as ap- including being put on notice that they are to consult propriate, moved to a secure location. The document may be cop- ied to a protected environment to protect the information or to limit its availability to those persons authorized to access the in- 469 The description of LACMTA's records management prac- formation. 471 tices is based on a review of the agency's Records Management The description of Agency C's security/procurement prac- Policy. The records management services can be reviewed at tices is based on a review of the company's Security Sensitive http://www.metro.net/about/library/records-services/records- Information Handbook, which identifies procedures to be used management/records-services/. during implementation of Agency C security projects.

OCR for page 45
46 Agency C nondisclosure and confidentiality agreements Using a firewall security system for SSI informa- for individuals; employee employment and resume veri- tion technology storage systems. fication; and procurement procedures. Encrypting SSI data transfer. Personnel involved in Agency C's SSI process in- Requiring security training for personnel with ac- cludes the Agency C security officer, who is responsible cess to SSI information technology systems. for implementing and overseeing SSI procedures and Centralizing physical storage of SSI as much as key in deciding what information is protected; the practicable. agency security officer, who is the SSI point person for Prohibiting removal of SSI from work area without the sister agency, assisting the Agency C security offi- Agency C authorization. cer in implementing required briefings and training; Once projects are complete, using card readers to and the Agency C/agency project manager, who is au- track access to storage locations. thorized to handle SSI. The security officers must be Establishing system to ensure reproduction of SSI U.S. citizens or permanent residents. Both the project is held to a minimum and accomplished by authorized manager and all Agency C/agency employees involved employees; marking copies as originals are marked. in supervising consultants, contractors, and subcontrac- Destroying SSI to prevent unauthorized retrieval; tors of projects related to Agency C SSI are required to logging destroyed documents through document control sign NDAs and undergo employment and resume verifi- system (date of disposal, identification of material de- cation, as are all vendor project managers, principals of stroyed, signature of individuals designated to destroy vendor companies, and vendor employees working on and witness destruction). design and construction of projects related to Agency C Transmitting SSI in a manner preventing loss or SSI. unauthorized access: receipt required; no marking on Agency C requires consultants and contractors to package to indicate inclusion of SSI; packages to be re- provide training to all of their employees authorized to turned if authorized recipients not present and not to be access Agency C SSI, with disclosure of SSI only au- left unattended. thorized as needed to perform official duties and on a Limiting access to need to know: necessary for re- need-to-know basis. Agency C receives a list of author- cipient's job performance, recipient has read and under- ized vendor employees. Vendors must have a document stands agency SSI procedures, and has signed NDA. control system to track the location and number of cop- ies of documents containing Agency C SSI. Vendors Additional security measures include requiring all must also develop an Information Technology System SSI documents to be marked as specified in the hand- Management Plan covering physical, operational, and book; maintaining lists of authorized internal and ex- personnel procedures; Agency C must approve the plan ternal SSI recipients, with individuals removed from and employees must undergo information technology the authorized list when their need to know expires; security awareness training. and maintaining a list of all individuals who have or Agency C policy ties these vendor security require- have had access, for investigative purposes; maintain- ments to the procurement process by mandating that ing a document control system with log information as they be made a material condition of contracts that re- specified in the handbook. quire access to Agency C SSI, with the contracts subject Agency C's audit program evaluates consultant and to termination for default where willful misconduct or vendor compliance with the security requirements set lack of good faith leads to noncompliance. Vendors are forth in the handbook. also required to include these provisions in all subcon- Project managers are responsible for developing pro- tracts. Once a contract containing SSI is completed, the ject-specific evaluation guides based on the agency's vendor must return all originals to Agency C and de- generic evaluation guide and for identifying information stroy all copies, following procedures set forth in the that must be treated as SSI pursuant to the project- handbook. specific evaluation guide. If a vendor employee believes Measures to safeguard SSI include: information not designated as SSI may or should be SSI, the individual should request an evaluation by the Prohibiting discussion of SSI in public conveyances project manager and protect the information accord- or places, via wireless phone or radio; limiting use of ingly until a decision is made. SSI that has been made discussion via speakerphone to closed-door locations. public should still be protected until the Agency C secu- Storing SSI with password protection or in secure rity officer makes a formal decision. containers with no indication that containers store SSI; Agency C's NDA covers the scope of SSI, obligations maintaining list of individuals with access to each con- of nondisclosure, requirements for protection of infor- tainer. mation (including notifying Agency C of any subpoenas Removing SSI from information technology system for SSI), and return of information. Potential recipients when no longer required to be on system. of SSI are given a copy of the SSI handbook and are Maintaining physical security to prevent unau- required to execute and affidavit acknowledging receipt thorized access to hardware and software related to of the handbook. SSI, e.g., by requiring User IDs and keeping unat- The handbook recommends that Agency C only re- tended information technology systems in locked space. lease bid documents containing SSI to bidders that have